Make ERC2771Context return original sender address if msg.data.length <= 20
#4481
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
🦋 Changeset detectedLatest commit: f056ce5 The changes in this PR will be included in the next version bump. This PR includes changesets to release 1 package
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
Amxx
reviewed
Jul 25, 2023
Co-authored-by: Hadrien Croubois <hadrien.croubois@gmail.com>
Amxx
reviewed
Jul 25, 2023
Amxx
previously approved these changes
Jul 25, 2023
Co-authored-by: Hadrien Croubois <hadrien.croubois@gmail.com>
|
I thought accepting a suggestion doesn't dismiss reviews, but it does. |
frangio
reviewed
Jul 25, 2023
frangio
reviewed
Jul 25, 2023
Co-authored-by: Francisco <fg@frang.io>
frangio
approved these changes
Jul 25, 2023
Amxx
approved these changes
Jul 25, 2023
|
For future observers, the title of this PR says |
Woodpile37
added a commit
to Woodpile37/EIPs
that referenced
this pull request
Oct 29, 2023
<p>This PR was automatically created by Snyk using the credentials of a
real user.</p><br /><h3>Snyk has created this PR to upgrade
@openzeppelin/contracts from 4.9.3 to 5.0.0.</h3>
:information_source: Keep your dependencies up-to-date. This makes it
easier to fix existing vulnerabilities and to more quickly identify and
fix newly disclosed vulnerabilities when they affect your project.
<hr/>
*Warning:* This is a major version upgrade, and may be a breaking
change.
- The recommended version is **4 versions** ahead of your current
version.
- The recommended version was released **21 days ago**, on 2023-10-05.
<details>
<summary><b>Release notes</b></summary>
<br/>
<details>
<summary>Package name: <b>@openzeppelin/contracts</b></summary>
<ul>
<li>
<b>5.0.0</b> - <a
href="https://snyk.io/redirect/github/OpenZeppelin/openzeppelin-contracts/releases/tag/v5.0.0">2023-10-05</a></br><a
href="https://snyk.io/redirect/github/OpenZeppelin/openzeppelin-contracts/releases/tag/v5.0.0">
Read more </a>
</li>
<li>
<b>5.0.0-rc.2</b> - <a
href="https://snyk.io/redirect/github/OpenZeppelin/openzeppelin-contracts/releases/tag/v5.0.0-rc.2">2023-10-02</a></br><ul>
<li><code>AccessManager</code>: Make <code>schedule</code> and
<code>execute</code> more conservative when delay is 0.</li>
</ul>
</li>
<li>
<b>5.0.0-rc.1</b> - <a
href="https://snyk.io/redirect/github/OpenZeppelin/openzeppelin-contracts/releases/tag/v5.0.0-rc.1">2023-09-28</a></br><ul>
<li>Upgradeable Contracts: No longer transpile interfaces, libraries,
and stateless contracts. (<a
href="https://snyk.io/redirect/github/OpenZeppelin/openzeppelin-contracts/pull/4636"
data-hovercard-type="pull_request"
data-hovercard-url="/OpenZeppelin/openzeppelin-contracts/pull/4636/hovercard">ethereum#4636</a>)</li>
<li><code>AccessManager</code>, <code>AccessManaged</code>,
<code>GovernorTimelockAccess</code>: Ensure that calldata shorter than 4
bytes is not padded to 4 bytes. (<a
href="https://snyk.io/redirect/github/OpenZeppelin/openzeppelin-contracts/pull/4624"
data-hovercard-type="pull_request"
data-hovercard-url="/OpenZeppelin/openzeppelin-contracts/pull/4624/hovercard">ethereum#4624</a>)</li>
<li><code>AccessManager</code>: Use named return parameters in functions
that return multiple values. (<a
href="https://snyk.io/redirect/github/OpenZeppelin/openzeppelin-contracts/pull/4624"
data-hovercard-type="pull_request"
data-hovercard-url="/OpenZeppelin/openzeppelin-contracts/pull/4624/hovercard">ethereum#4624</a>)</li>
</ul>
</li>
<li>
<b>5.0.0-rc.0</b> - <a
href="https://snyk.io/redirect/github/OpenZeppelin/openzeppelin-contracts/releases/tag/v5.0.0-rc.0">2023-09-19</a></br><a
href="https://snyk.io/redirect/github/OpenZeppelin/openzeppelin-contracts/releases/tag/v5.0.0-rc.0">
Read more </a>
</li>
<li>
<b>4.9.3</b> - <a
href="https://snyk.io/redirect/github/OpenZeppelin/openzeppelin-contracts/releases/tag/v4.9.3">2023-07-28</a></br><div
class="markdown-alert markdown-alert-note"><p><span
class="color-fg-accent text-semibold d-inline-flex flex-items-center
mb-1"><svg class="octicon octicon-info mr-2" viewBox="0 0 16 16"
version="1.1" width="16" height="16" aria-hidden="true"><path d="M0 8a8
8 0 1 1 16 0A8 8 0 0 1 0 8Zm8-6.5a6.5 6.5 0 1 0 0 13 6.5 6.5 0 0 0
0-13ZM6.5 7.75A.75.75 0 0 1 7.25 7h1a.75.75 0 0 1 .75.75v2.75h.25a.75.75
0 0 1 0 1.5h-2a.75.75 0 0 1 0-1.5h.25v-2h-.25a.75.75 0 0 1-.75-.75ZM8
6a1 1 0 1 1 0-2 1 1 0 0 1 0 2Z"></path></svg>Note</span><br>
This release contains a fix for <a
href="https://snyk.io/redirect/github/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-g4vp-m682-qqmp">GHSA-g4vp-m682-qqmp</a>.</p></div>
<ul>
<li><code>ERC2771Context</code>: Return the forwarder address whenever
the <code>msg.data</code> of a call originating from a trusted forwarder
is not long enough to contain the request signer address (i.e.
<code>msg.data.length</code> is less than 20 bytes), as specified by
ERC-2771. (<a
href="https://snyk.io/redirect/github/OpenZeppelin/openzeppelin-contracts/pull/4481"
data-hovercard-type="pull_request"
data-hovercard-url="/OpenZeppelin/openzeppelin-contracts/pull/4481/hovercard">ethereum#4481</a>)</li>
<li><code>ERC2771Context</code>: Prevent revert in
<code>_msgData()</code> when a call originating from a trusted forwarder
is not long enough to contain the request signer address (i.e.
<code>msg.data.length</code> is less than 20 bytes). Return the full
calldata in that case. (<a
href="https://snyk.io/redirect/github/OpenZeppelin/openzeppelin-contracts/pull/4484"
data-hovercard-type="pull_request"
data-hovercard-url="/OpenZeppelin/openzeppelin-contracts/pull/4484/hovercard">ethereum#4484</a>)</li>
</ul>
</li>
</ul>
from <a
href="https://snyk.io/redirect/github/OpenZeppelin/openzeppelin-contracts/releases">@openzeppelin/contracts
GitHub release notes</a>
</details>
</details>
<hr/>
**Note:** *You are seeing this because you or someone else with access
to this repository has authorized Snyk to open upgrade PRs.*
For more information: <img
src="https://api.segment.io/v1/pixel/track?data=eyJ3cml0ZUtleSI6InJyWmxZcEdHY2RyTHZsb0lYd0dUcVg4WkFRTnNCOUEwIiwiYW5vbnltb3VzSWQiOiJjMDUxYjcyNi0zNzViLTRjODgtYmI2NS1iOTJjYTk5MjgxOWQiLCJldmVudCI6IlBSIHZpZXdlZCIsInByb3BlcnRpZXMiOnsicHJJZCI6ImMwNTFiNzI2LTM3NWItNGM4OC1iYjY1LWI5MmNhOTkyODE5ZCJ9fQ=="
width="0" height="0"/>
🧐 [View latest project
report](https://app.snyk.io/org/woodpile37/project/ada51a90-dc7c-4239-82d9-c94c84ce1884?utm_source=github&utm_medium=referral&page=upgrade-pr)
🛠 [Adjust upgrade PR
settings](https://app.snyk.io/org/woodpile37/project/ada51a90-dc7c-4239-82d9-c94c84ce1884/settings/integration?utm_source=github&utm_medium=referral&page=upgrade-pr)
🔕 [Ignore this dependency or unsubscribe from future upgrade
PRs](https://app.snyk.io/org/woodpile37/project/ada51a90-dc7c-4239-82d9-c94c84ce1884/settings/integration?pkg=@openzeppelin/contracts&utm_source=github&utm_medium=referral&page=upgrade-pr#auto-dep-upgrades)
<!---
(snyk:metadata:{"prId":"c051b726-375b-4c88-bb65-b92ca992819d","prPublicId":"c051b726-375b-4c88-bb65-b92ca992819d","dependencies":[{"name":"@openzeppelin/contracts","from":"4.9.3","to":"5.0.0"}],"packageManager":"npm","type":"auto","projectUrl":"https://app.snyk.io/org/woodpile37/project/ada51a90-dc7c-4239-82d9-c94c84ce1884?utm_source=github&utm_medium=referral&page=upgrade-pr","projectPublicId":"ada51a90-dc7c-4239-82d9-c94c84ce1884","env":"prod","prType":"upgrade","vulns":[],"issuesToFix":[],"upgrade":[],"upgradeInfo":{"versionsDiff":4,"publishedDate":"2023-10-05T18:00:56.344Z"},"templateVariants":[],"hasFixes":false,"isMajorUpgrade":true,"isBreakingChange":true,"priorityScoreList":[]})
--->
Woodpile37
added a commit
to Woodpile37/EIPs
that referenced
this pull request
Oct 30, 2023
<p>This PR was automatically created by Snyk using the credentials of a
real user.</p><br /><h3>Snyk has created this PR to upgrade
@openzeppelin/contracts from 4.9.3 to 5.0.0.</h3>
:information_source: Keep your dependencies up-to-date. This makes it
easier to fix existing vulnerabilities and to more quickly identify and
fix newly disclosed vulnerabilities when they affect your project.
<hr/>
*Warning:* This is a major version upgrade, and may be a breaking
change.
- The recommended version is **4 versions** ahead of your current
version.
- The recommended version was released **24 days ago**, on 2023-10-05.
<details>
<summary><b>Release notes</b></summary>
<br/>
<details>
<summary>Package name: <b>@openzeppelin/contracts</b></summary>
<ul>
<li>
<b>5.0.0</b> - <a
href="https://snyk.io/redirect/github/OpenZeppelin/openzeppelin-contracts/releases/tag/v5.0.0">2023-10-05</a></br><a
href="https://snyk.io/redirect/github/OpenZeppelin/openzeppelin-contracts/releases/tag/v5.0.0">
Read more </a>
</li>
<li>
<b>5.0.0-rc.2</b> - <a
href="https://snyk.io/redirect/github/OpenZeppelin/openzeppelin-contracts/releases/tag/v5.0.0-rc.2">2023-10-02</a></br><ul>
<li><code>AccessManager</code>: Make <code>schedule</code> and
<code>execute</code> more conservative when delay is 0.</li>
</ul>
</li>
<li>
<b>5.0.0-rc.1</b> - <a
href="https://snyk.io/redirect/github/OpenZeppelin/openzeppelin-contracts/releases/tag/v5.0.0-rc.1">2023-09-28</a></br><ul>
<li>Upgradeable Contracts: No longer transpile interfaces, libraries,
and stateless contracts. (<a
href="https://snyk.io/redirect/github/OpenZeppelin/openzeppelin-contracts/pull/4636"
data-hovercard-type="pull_request"
data-hovercard-url="/OpenZeppelin/openzeppelin-contracts/pull/4636/hovercard">ethereum#4636</a>)</li>
<li><code>AccessManager</code>, <code>AccessManaged</code>,
<code>GovernorTimelockAccess</code>: Ensure that calldata shorter than 4
bytes is not padded to 4 bytes. (<a
href="https://snyk.io/redirect/github/OpenZeppelin/openzeppelin-contracts/pull/4624"
data-hovercard-type="pull_request"
data-hovercard-url="/OpenZeppelin/openzeppelin-contracts/pull/4624/hovercard">ethereum#4624</a>)</li>
<li><code>AccessManager</code>: Use named return parameters in functions
that return multiple values. (<a
href="https://snyk.io/redirect/github/OpenZeppelin/openzeppelin-contracts/pull/4624"
data-hovercard-type="pull_request"
data-hovercard-url="/OpenZeppelin/openzeppelin-contracts/pull/4624/hovercard">ethereum#4624</a>)</li>
</ul>
</li>
<li>
<b>5.0.0-rc.0</b> - <a
href="https://snyk.io/redirect/github/OpenZeppelin/openzeppelin-contracts/releases/tag/v5.0.0-rc.0">2023-09-19</a></br><a
href="https://snyk.io/redirect/github/OpenZeppelin/openzeppelin-contracts/releases/tag/v5.0.0-rc.0">
Read more </a>
</li>
<li>
<b>4.9.3</b> - <a
href="https://snyk.io/redirect/github/OpenZeppelin/openzeppelin-contracts/releases/tag/v4.9.3">2023-07-28</a></br><div
class="markdown-alert markdown-alert-note"><p><span
class="color-fg-accent text-semibold d-inline-flex flex-items-center
mb-1"><svg class="octicon octicon-info mr-2" viewBox="0 0 16 16"
version="1.1" width="16" height="16" aria-hidden="true"><path d="M0 8a8
8 0 1 1 16 0A8 8 0 0 1 0 8Zm8-6.5a6.5 6.5 0 1 0 0 13 6.5 6.5 0 0 0
0-13ZM6.5 7.75A.75.75 0 0 1 7.25 7h1a.75.75 0 0 1 .75.75v2.75h.25a.75.75
0 0 1 0 1.5h-2a.75.75 0 0 1 0-1.5h.25v-2h-.25a.75.75 0 0 1-.75-.75ZM8
6a1 1 0 1 1 0-2 1 1 0 0 1 0 2Z"></path></svg>Note</span><br>
This release contains a fix for <a
href="https://snyk.io/redirect/github/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-g4vp-m682-qqmp">GHSA-g4vp-m682-qqmp</a>.</p></div>
<ul>
<li><code>ERC2771Context</code>: Return the forwarder address whenever
the <code>msg.data</code> of a call originating from a trusted forwarder
is not long enough to contain the request signer address (i.e.
<code>msg.data.length</code> is less than 20 bytes), as specified by
ERC-2771. (<a
href="https://snyk.io/redirect/github/OpenZeppelin/openzeppelin-contracts/pull/4481"
data-hovercard-type="pull_request"
data-hovercard-url="/OpenZeppelin/openzeppelin-contracts/pull/4481/hovercard">ethereum#4481</a>)</li>
<li><code>ERC2771Context</code>: Prevent revert in
<code>_msgData()</code> when a call originating from a trusted forwarder
is not long enough to contain the request signer address (i.e.
<code>msg.data.length</code> is less than 20 bytes). Return the full
calldata in that case. (<a
href="https://snyk.io/redirect/github/OpenZeppelin/openzeppelin-contracts/pull/4484"
data-hovercard-type="pull_request"
data-hovercard-url="/OpenZeppelin/openzeppelin-contracts/pull/4484/hovercard">ethereum#4484</a>)</li>
</ul>
</li>
</ul>
from <a
href="https://snyk.io/redirect/github/OpenZeppelin/openzeppelin-contracts/releases">@openzeppelin/contracts
GitHub release notes</a>
</details>
</details>
<hr/>
**Note:** *You are seeing this because you or someone else with access
to this repository has authorized Snyk to open upgrade PRs.*
For more information: <img
src="https://api.segment.io/v1/pixel/track?data=eyJ3cml0ZUtleSI6InJyWmxZcEdHY2RyTHZsb0lYd0dUcVg4WkFRTnNCOUEwIiwiYW5vbnltb3VzSWQiOiI2NGQ0NjcxOS01ZDIzLTQ1MjYtYWJiOC00OGEwZmQ1N2QxZjgiLCJldmVudCI6IlBSIHZpZXdlZCIsInByb3BlcnRpZXMiOnsicHJJZCI6IjY0ZDQ2NzE5LTVkMjMtNDUyNi1hYmI4LTQ4YTBmZDU3ZDFmOCJ9fQ=="
width="0" height="0"/>
🧐 [View latest project
report](https://app.snyk.io/org/woodpile37/project/f0dcf1c9-ecf1-445b-bc07-e8f73c595f54?utm_source=github&utm_medium=referral&page=upgrade-pr)
🛠 [Adjust upgrade PR
settings](https://app.snyk.io/org/woodpile37/project/f0dcf1c9-ecf1-445b-bc07-e8f73c595f54/settings/integration?utm_source=github&utm_medium=referral&page=upgrade-pr)
🔕 [Ignore this dependency or unsubscribe from future upgrade
PRs](https://app.snyk.io/org/woodpile37/project/f0dcf1c9-ecf1-445b-bc07-e8f73c595f54/settings/integration?pkg=@openzeppelin/contracts&utm_source=github&utm_medium=referral&page=upgrade-pr#auto-dep-upgrades)
<!---
(snyk:metadata:{"prId":"64d46719-5d23-4526-abb8-48a0fd57d1f8","prPublicId":"64d46719-5d23-4526-abb8-48a0fd57d1f8","dependencies":[{"name":"@openzeppelin/contracts","from":"4.9.3","to":"5.0.0"}],"packageManager":"npm","type":"auto","projectUrl":"https://app.snyk.io/org/woodpile37/project/f0dcf1c9-ecf1-445b-bc07-e8f73c595f54?utm_source=github&utm_medium=referral&page=upgrade-pr","projectPublicId":"f0dcf1c9-ecf1-445b-bc07-e8f73c595f54","env":"prod","prType":"upgrade","vulns":[],"issuesToFix":[],"upgrade":[],"upgradeInfo":{"versionsDiff":4,"publishedDate":"2023-10-05T18:00:56.344Z"},"templateVariants":[],"hasFixes":false,"isMajorUpgrade":true,"isBreakingChange":true,"priorityScoreList":[]})
--->
This was referenced Sep 11, 2024
This was referenced Sep 12, 2024
This was referenced Sep 15, 2024
This was referenced Sep 19, 2024
This was referenced Nov 9, 2024
# for free
to join this conversation on GitHub.
Already have an account?
# to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes an audit finding. Report will be published soon.
The current implementation of the ERC2771Forwarder doesn't check that the
msg.datahas a length of at least the ERC2771 suffixed address, nullifying the result and producing theaddress(0)whenever accessing an out-of-boundscalldatalocation (i.e. calldata with size 19).This PR checks for the correct length and falls back to the original sender.
Fixes LIB-984